﻿<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><!--
 Archive processed by SingleFile 
 url: https://tools.ietf.org/html/rfc5904 
 saved date: Sat Oct 18 2014 04:05:27 GMT+0300 (Finland (summer)) 
--><head profile="http://dublincore.org/documents/2008/08/04/dc-html/">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="robots" content="index,follow">
    <meta name="creator" content="rfcmarkup version 1.108">
    <link rel="schema.DC" href="http://purl.org/dc/elements/1.1/">
<meta name="DC.Identifier" content="urn:ietf:rfc:5904">
<meta name="DC.Description.Abstract" content="This document defines a set of Remote Authentication Dial-In User Service (RADIUS) Attributes that are designed to provide RADIUS support for IEEE 802.16 Privacy Key Management Version 1. This document is not an Internet Standards Track specification; it is published for informational purposes.">
<meta name="DC.Creator" content="Glen Zorn <gwz@net-zen.net>">
<meta name="DC.Date.Issued" content="June, 2010">
<meta name="DC.Title" content="RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1 (PKMv1) Protocol Support">

    <title>RFC 5904 - RADIUS Attributes for IEEE 802.16 Privacy Key Management Version 1 (PKMv1) Protocol Support</title>
    
    
    <style type="text/css">
	body {
	    margin: 0px 8px;
            font-size: 1em;
	}
        h1, h2, h3, h4, h5, h6, .h1, .h2, .h3, .h4, .h5, .h6 {
	    font-weight: bold;
            line-height: 0pt;
            display: inline;
            white-space: pre;
            font-family: monospace;
            font-size: 1em;
	    font-weight: bold;
        }
        pre {
            font-size: 1em;
            margin-top: 0px;
            margin-bottom: 0px;
        }
	.pre {
	    white-space: pre;
	    font-family: monospace;
	}
	.header{
	    font-weight: bold;
	}
        .newpage {
            page-break-before: always;
        }
        .invisible {
            text-decoration: none;
            color: white;
        }
        a.selflink {
          color: black;
          text-decoration: none;
        }
        @media print {
            body {
                font-family: monospace;
                font-size: 10.5pt;
            }
            h1, h2, h3, h4, h5, h6 {
                font-size: 1em;
            }
        
            a:link, a:visited {
                color: inherit;
                text-decoration: none;
            }
            .noprint {
                display: none;
            }
        }
	@media screen {
	    .grey, .grey a:link, .grey a:visited {
		color: #777;
	    }
            .docinfo {
                background-color: #EEE;
            }
            .top {
                border-top: 7px solid #EEE;
            }
            .bgwhite  { background-color: white; }
            .bgred    { background-color: #F44; }
            .bggrey   { background-color: #666; }
            .bgbrown  { background-color: #840; }            
            .bgorange { background-color: #FA0; }
            .bgyellow { background-color: #EE0; }
            .bgmagenta{ background-color: #F4F; }
            .bgblue   { background-color: #66F; }
            .bgcyan   { background-color: #4DD; }
            .bggreen  { background-color: #4F4; }

            .legend   { font-size: 90%; }
            .cplate   { font-size: 70%; border: solid grey 1px; }
	}
    </style>
    <!--[if IE]>
    <style>
    body {
       font-size: 13px;
       margin: 10px 10px;
    }
    </style>
    <![endif]-->

    
</head>
<body>
<pre>Internet Engineering Task Force (IETF)                           G. Zorn
Request for Comments: 5904                                   Network Zen
Category: Informational                                        June 2010
ISSN: 2070-1721


                   <span class="h1"><h1>RADIUS Attributes for IEEE 802.16</h1></span>
       <span class="h1"><h1>Privacy Key Management Version 1 (PKMv1) Protocol Support</h1></span>

Abstract

   This document defines a set of Remote Authentication Dial-In User
   Service (RADIUS) Attributes that are designed to provide RADIUS
   support for IEEE 802.16 Privacy Key Management Version 1.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see <a href="https://tools.ietf.org/html/rfc5741#section-2">Section&nbsp;2 of RFC 5741</a>.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   <a href="http://www.rfc-editor.org/info/rfc5904">http://www.rfc-editor.org/info/rfc5904</a>.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to <a href="https://tools.ietf.org/html/bcp78">BCP 78</a> and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.






<span class="grey">Zorn                          Informational                     [Page 1]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-2" id="page-2" href="#page-2" class="invisible"> </a>
<span class="grey"><a href="https://tools.ietf.org/html/rfc5904">RFC 5904</a>               RADIUS Attributes for PKMv1             June 2010</span>


   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   <a href="#section-1">1</a>.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-3">3</a>
   <a href="#section-2">2</a>.  Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-3">3</a>
   <a href="#section-3">3</a>.  Attributes . . . . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-3">3</a>
     <a href="#section-3.1">3.1</a>.  PKM-SS-Cert  . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-4">4</a>
     <a href="#section-3.2">3.2</a>.  PKM-CA-Cert  . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-5">5</a>
     <a href="#section-3.3">3.3</a>.  PKM-Config-Settings  . . . . . . . . . . . . . . . . . . .  <a href="#page-6">6</a>
     <a href="#section-3.4">3.4</a>.  PKM-Cryptosuite-List . . . . . . . . . . . . . . . . . . .  <a href="#page-8">8</a>
     <a href="#section-3.5">3.5</a>.  PKM-SAID . . . . . . . . . . . . . . . . . . . . . . . . .  <a href="#page-9">9</a>
     <a href="#section-3.6">3.6</a>.  PKM-SA-Descriptor  . . . . . . . . . . . . . . . . . . . .  <a href="#page-9">9</a>
     <a href="#section-3.7">3.7</a>.  PKM-AUTH-Key . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
       <a href="#section-3.7.1">3.7.1</a>.  AUTH-Key Protection  . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
   <a href="#section-4">4</a>.  Table of Attributes  . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
   <a href="#section-5">5</a>.  Diameter Considerations  . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
   <a href="#section-6">6</a>.  Security Considerations  . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
   <a href="#section-7">7</a>.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
   <a href="#section-8">8</a>.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
   <a href="#section-9">9</a>.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
   <a href="#section-10">10</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
     <a href="#section-10.1">10.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>
     <a href="#section-10.2">10.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a>

</pre><!--NewPage--><pre class="newpage"><a name="page-3" id="page-3" href="#page-3" class="invisible"> </a>


<span class="h2"><h2><a class="selflink" name="section-1" href="#section-1">1</a>.  Introduction</h2></span>

   Privacy Key Management Version 1 (PKMv1) [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>] is a
   public-key-based authentication and key establishment protocol
   typically used in fixed wireless broadband network deployments.  The
   protocol utilizes X.509 v3 certificates [<a href="https://tools.ietf.org/html/rfc2459" title="&quot;Internet X.509 Public Key Infrastructure Certificate and CRL Profile&quot;">RFC2459</a>], RSA encryption
   [<a href="https://tools.ietf.org/html/rfc2437" title="&quot;PKCS #1: RSA Cryptography Specifications Version 2.0&quot;">RFC2437</a>], and a variety of secret key cryptographic methods to allow
   an 802.16 Base Station (BS) to authenticate a Subscriber Station (SS)
   and perform key establishment and maintenance between an SS and BS.

   This document defines a set of RADIUS Attributes that are designed to
   provide support for PKMv1.  The target audience for this document
   consists of those developers implementing RADIUS support for PKMv1;
   therefore, familiarity with both RADIUS [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>] and the IEEE
   802.16-2004 standard is assumed.

   Please note that this document relies on IEEE.802.16-2004, which
   references <a href="https://tools.ietf.org/html/rfc2437">RFC 2437</a> and <a href="https://tools.ietf.org/html/rfc2459">RFC 2459</a>, rather than any more recent RFCs on
   RSA and X.509 certificates (e.g., <a href="https://tools.ietf.org/html/rfc3447">RFC 3447</a> and <a href="https://tools.ietf.org/html/rfc5280">RFC 5280</a>).

<span class="h2"><h2><a class="selflink" name="section-2" href="#section-2">2</a>.  Acronyms</h2></span>

   CA
      Certification Authority; a trusted party issuing and signing X.509
      certificates.

   For further information on the following terms, please see Section 7
   of [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>].

   SA
      Security Association

   SAID
      Security Association Identifier

   TEK
      Traffic Encryption Key

<span class="h2"><h2><a class="selflink" name="section-3" href="#section-3">3</a>.  Attributes</h2></span>

   The following subsections describe the Attributes defined by this
   document.  This specification concerns the following values:

      137 PKM-SS-Cert

      138 PKM-CA-Cert

      139 PKM-Config-Settings
</pre><!--NewPage--><pre class="newpage"><a name="page-4" id="page-4" href="#page-4" class="invisible"> </a>


      140 PKM-Cryptosuite-List

      141 PKM-SAID

      142 PKM-SA-Descriptor

      143 PKM-Auth-Key

<span class="h3"><h3><a class="selflink" name="section-3.1" href="#section-3.1">3.1</a>.  PKM-SS-Cert</h3></span>

   Description

      The PKM-SS-Cert Attribute is variable length and MAY be
      transmitted in the Access-Request message.  The Value field is of
      type string and contains the X.509 certificate [<a href="https://tools.ietf.org/html/rfc2459" title="&quot;Internet X.509 Public Key Infrastructure Certificate and CRL Profile&quot;">RFC2459</a>] binding a
      public key to the identifier of the Subscriber Station.

      The minimum size of an SS certificate exceeds the maximum size of
      a RADIUS attribute (255 octets, of which 2 are the Type and Len
      fields, leaving 253 octets of Value).  Therefore, the client MUST
      encapsulate the certificate in the Value fields of two or more
      instances of the PKM-SS-Cert Attribute, each (except possibly the
      last) having a length of 255 octets.  These multiple PKM-SS-Cert
      Attributes MUST
      appear consecutively and in order within the packet.  Upon
      receipt, the RADIUS server MUST recover the original certificate
      by concatenating the Value fields of the received PKM-SS-Cert
      Attributes in order.

   A summary of the PKM-SS-Cert Attribute format is shown below.  The
   fields are transmitted from left to right.

                          1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type       |      Len      |    Value...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      137 for PKM-SS-Cert

   Len

      &gt; 2

   Value

      The Value field is variable length and contains a (possibly
      complete) portion of an X.509 certificate.
</pre><!--NewPage--><pre class="newpage"><a name="page-5" id="page-5" href="#page-5" class="invisible"> </a>


<span class="h3"><h3><a class="selflink" name="section-3.2" href="#section-3.2">3.2</a>.  PKM-CA-Cert</h3></span>

   Description

      The PKM-CA-Cert Attribute is variable length and MAY be
      transmitted in the Access-Request message.  The Value field is of
      type string and contains the X.509 certificate [<a href="https://tools.ietf.org/html/rfc2459" title="&quot;Internet X.509 Public Key Infrastructure Certificate and CRL Profile&quot;">RFC2459</a>] used by
      the CA to sign the SS certificate carried in the PKM-SS-Cert
      attribute (<a href="#section-3.1">Section 3.1</a>) in the same message.

      The minimum size of a CA certificate exceeds the maximum size of a
      RADIUS attribute.  Therefore, the client MUST encapsulate the
      certificate in the Value fields of two or more instances of the
      PKM-CA-Cert Attribute, each (except possibly the last) having a
      length of 255 octets.  These multiple PKM-CA-Cert Attributes MUST
      appear consecutively and in order within the packet.  Upon
      receipt, the RADIUS server MUST recover the original certificate
      by concatenating the Value fields of the received PKM-CA-Cert
      Attributes in order.

   A summary of the PKM-CA-Cert Attribute format is shown below.  The
   fields are transmitted from left to right.

                          1                   2
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |    Type       |      Len      |    Value...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      138 for PKM-CA-Cert

   Len

      &gt; 2

   Value

      The Value field is variable length and contains a (possibly
      complete) portion of an X.509 certificate.
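
</pre>
<p>Sections 3.1 and 3.2 state the same fragmentation rule for the SS and CA certificates. The following Python is an added example, not code from RFC 5904 or from any 802.16 implementation: it splits a DER-encoded certificate into consecutive PKM-SS-Cert (137) or PKM-CA-Cert (138) attributes of 255 octets (253 octets of Value each, since the 1-octet RADIUS Length covers Type and Length too) and reassembles the run on the server side, rejecting a run that is interrupted by other attributes, a non-final fragment shorter than 255 octets, and a result that is not exactly one DER SEQUENCE. The outer DER length check is an extra sanity check the RFC does not require, and the 604-octet "certificate" in the usage is constructed filler, not a real certificate.</p>
<pre>
```python
# Added example (not from RFC 5904): fragmenting an X.509 certificate
# across consecutive PKM-SS-Cert / PKM-CA-Cert attributes and
# reassembling it with the checks a RADIUS server should make.
import struct

PKM_SS_CERT = 137
PKM_CA_CERT = 138
MAX_ATTR_LEN = 255                 # RADIUS Length covers Type + Len + Value
MAX_VALUE_LEN = MAX_ATTR_LEN - 2   # 253 octets of Value per attribute


def fragment_cert(attr_type, der):
    """Return a list of (Type, Value) attributes carrying `der`.
    Every fragment except possibly the last fills a 255-octet attribute."""
    if attr_type not in (PKM_SS_CERT, PKM_CA_CERT):
        raise ValueError("not a PKM certificate attribute")
    if not der:
        raise ValueError("empty certificate")
    return [(attr_type, der[i:i + MAX_VALUE_LEN])
            for i in range(0, len(der), MAX_VALUE_LEN)]


def encode_attrs(attrs):
    """Serialise (Type, Value) pairs as RADIUS Type/Length/Value octets."""
    out = bytearray()
    for t, v in attrs:
        if len(v) > MAX_VALUE_LEN:
            raise ValueError("attribute Value exceeds 253 octets")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return bytes(out)


def der_total_length(blob):
    """Length (header + content) of the outer DER SEQUENCE in `blob`,
    or None if the header is malformed.  Used to confirm that the
    concatenated fragments form exactly one complete certificate."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length octets
    if nbytes == 0 or nbytes > 4 or len(blob) < 2 + nbytes:
        return None
    return 2 + nbytes + int.from_bytes(blob[2:2 + nbytes], "big")


def reassemble_cert(attr_type, attrs):
    """Concatenate the Value fields of the run of `attr_type` attributes,
    in packet order.  Rejects: no fragments, fragments interleaved with
    other attributes, a non-final fragment that is not 255 octets long,
    and a result that is not a single DER SEQUENCE."""
    idx = [i for i, (t, _) in enumerate(attrs) if t == attr_type]
    if not idx:
        raise ValueError("certificate attribute missing")
    if idx != list(range(idx[0], idx[0] + len(idx))):
        raise ValueError("certificate fragments are not consecutive")
    frags = [attrs[i][1] for i in idx]
    if any(len(f) != MAX_VALUE_LEN for f in frags[:-1]):
        raise ValueError("non-final fragment is not 255 octets long")
    der = b"".join(frags)
    if der_total_length(der) != len(der):
        raise ValueError("reassembled data is not a single DER certificate")
    return der


if __name__ == "__main__":
    # Constructed stand-in for a certificate: one DER SEQUENCE of 604 octets.
    cert = b"\x30\x82\x02\x58" + b"\xaa" * 600
    attrs = fragment_cert(PKM_SS_CERT, cert)
    wire = encode_attrs(attrs)
    print(len(attrs), "fragments,", len(wire), "octets on the wire")
    assert reassemble_cert(PKM_SS_CERT, attrs) == cert
```
</pre>
<p>Handing the reassembled octets to an X.509 parser, and checking that the PKM-CA-Cert in the same packet actually signed the PKM-SS-Cert, is the next step and is outside this block; the point here is that reassembly must refuse anything that is not the uninterrupted, in-order run the RFC mandates rather than silently gluing fragments together.</p>
<pre>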
</pre><!--NewPage--><pre class="newpage"><a name="page-6" id="page-6" href="#page-6" class="invisible"> </a>


<span class="h3"><h3><a class="selflink" name="section-3.3" href="#section-3.3">3.3</a>.  PKM-Config-Settings</h3></span>

   Description

      The PKM-Config-Settings Attribute is of type string [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>].  It
      is 30 octets in length and consists of seven independent fields,
      each of which is conceptually an unsigned integer.  Each of the
      fields contains a timeout value and corresponds to a Type-Length-
      Value (TLV) tuple encapsulated in the IEEE 802.16 "PKM
      configuration settings" attribute; for details on the contents of
      each field, see Section 11.9.19 of [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>].  One
      instance of the PKM-Config-Settings Attribute MAY be included in
      the Access-Accept message.

   A summary of the PKM-Config-Settings Attribute format is shown below.
   The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type       |      Len      |       Auth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Auth Wait Timeout (cont.)   |      Reauth Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Reauth Wait Timeout (cont.)  |        Auth Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Auth Grace Time (cont.)    |        Op Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Op Wait Timeout (cont.)    |       Rekey Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Rekey Wait Timeout (cont.)   |         TEK Grace Time
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        TEK Grace Time (cont.)     |     Auth Rej Wait Timeout
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     Auth Rej Wait Timeout (cont.) |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      139 for PKM-Config-Settings

   Len

      30
</pre><!--NewPage--><pre class="newpage"><a name="page-7" id="page-7" href="#page-7" class="invisible"> </a>


   Auth Wait Timeout

      The Auth Wait Timeout field is 4 octets in length and corresponds
      to the "Authorize wait timeout" field of the 802.16 "PKM
      configuration settings" attribute.

   Reauth Wait Timeout

      The Reauth Wait Timeout field is 4 octets in length and
      corresponds to the "Reauthorize wait timeout" field of the 802.16
      "PKM configuration settings" attribute.

   Auth Grace Time

      The Auth Grace Time field is 4 octets in length and corresponds to
      the "Authorize grace time" field of the 802.16 "PKM configuration
      settings" attribute.

   Op Wait Timeout

      The Op Wait Timeout field is 4 octets in length and corresponds to
      the "Operational wait timeout" field of the 802.16 "PKM
      configuration settings" attribute.

   Rekey Wait Timeout

      The Rekey Wait Timeout field is 4 octets in length and corresponds
      to the "Rekey wait timeout" field of the 802.16 "PKM configuration
      settings" attribute.

   TEK Grace Time

      The TEK Grace Time field is 4 octets in length and corresponds to
      the "TEK grace time" field of the 802.16 "PKM configuration
      settings" attribute.

   Auth Rej Wait Timeout

      The Auth Rej Wait Timeout field is 4 octets in length and
      corresponds to the "Authorize reject wait timeout" field of the
      802.16 "PKM configuration settings" attribute.
</pre><!--NewPage--><pre class="newpage"><a name="page-8" id="page-8" href="#page-8" class="invisible"> </a>


<span class="h3"><h3><a class="selflink" name="section-3.4" href="#section-3.4">3.4</a>.  PKM-Cryptosuite-List</h3></span>

   Description

      The PKM-Cryptosuite-List Attribute is of type string [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>] and
      is variable length; it corresponds roughly to the "Cryptographic-
      Suite-List" 802.16 attribute (see Section 11.9.15 of
      [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>]), the difference being that the RADIUS
      Attribute contains only the list of 3-octet cryptographic suite
      identifiers, omitting the IEEE Type and Length fields.

      The PKM-Cryptosuite-List Attribute MAY be present in an Access-
      Request message.  Any message in which the PKM-Cryptosuite-List
      Attribute is present MUST also contain an instance of the Message-
      Authenticator Attribute [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>].

      Implementation Note

         The PKM-Cryptosuite-List Attribute is used as a building block
         to create the 802.16 "Security-Capabilities" attribute
         ([<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>], Section 11.9.13); since this document only
         pertains to PKM version 1, the "Version" sub-attribute in that
         structure MUST be set to 0x01 when the RADIUS client constructs
         it.

   A summary of the PKM-Cryptosuite-List Attribute format is shown
   below.  The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |          Value...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      140 for PKM-Cryptosuite-List

   Len

      2 + 3n &lt; 39 (i.e., at most 12 identifiers), where 'n' is the
      number of cryptosuite identifiers in the list.
</pre><!--NewPage--><pre class="newpage"><a name="page-9" id="page-9" href="#page-9" class="invisible"> </a>


   Value

      The Value field is variable length and contains a sequence of one
      or more cryptosuite identifiers, each of which is 3 octets in
      length and corresponds to the Value field of an IEEE 802.16
      Cryptographic-Suite attribute.

<span class="h3"><h3><a class="selflink" name="section-3.5" href="#section-3.5">3.5</a>.  PKM-SAID</h3></span>

   Description

      The PKM-SAID Attribute is of type string [<a href="https://tools.ietf.org/html/rfc2865" title="&quot;Remote Authentication Dial In User Service (RADIUS)&quot;">RFC2865</a>].  It is 4
      octets in length and contains a PKM Security Association
      Identifier ([<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>], Section 11.9.7).  It MAY be
      included in an Access-Request message.

   A summary of the PKM-SAID Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      141 for PKM-SAID

   Len

      4

   SAID

      The SAID field is two octets in length and corresponds to the
      Value field of the 802.16 PKM SAID attribute.

<span class="h3"><h3><a class="selflink" name="section-3.6" href="#section-3.6">3.6</a>.  PKM-SA-Descriptor</h3></span>

   Description

      The PKM-SA-Descriptor Attribute is of type string and is 8 octets
      in length.  It contains three fields, described below, which
      together specify the characteristics of a PKM security
      association.  One or more instances of the PKM-SA-Descriptor
      Attribute MAY occur in an Access-Accept message.
</pre><!--NewPage--><pre class="newpage"><a name="page-10" id="page-10" href="#page-10" class="invisible"> </a>


   A summary of the PKM-SA-Descriptor Attribute format is shown below.
   The fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |            SAID               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    SA Type    |                Cryptosuite                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      142 for PKM-SA-Descriptor

   Len

      8

   SAID

      The SAID field is two octets in length and contains a PKM SAID
      (<a href="#section-3.5">Section 3.5</a>).

   SA Type

      The SA Type field is one octet in length.  The contents correspond
      to those of the Value field of an IEEE 802.16 SA-Type attribute.

   Cryptosuite

      The Cryptosuite field is 3 octets in length.  The contents
      correspond to those of the Value field of an IEEE 802.16
      Cryptographic-Suite attribute.

<span class="h3"><h3><a class="selflink" name="section-3.7" href="#section-3.7">3.7</a>.  PKM-AUTH-Key</h3></span>

   Description

      The PKM-AUTH-Key Attribute is of type string, 135 octets in
      length.  It consists of 3 fields, described below, which together
      specify the characteristics of a PKM authorization key.  The PKM-
      AUTH-Key Attribute MAY occur in an Access-Accept message.  Any
      packet that contains an instance of the PKM-AUTH-Key Attribute
      MUST also contain an instance of the Message-Authenticator
      Attribute [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>].
</pre><!--NewPage--><pre class="newpage"><a name="page-11" id="page-11" href="#page-11" class="invisible"> </a>


   A summary of the PKM-AUTH-Key Attribute format is shown below.  The
   fields are transmitted from left to right.

                        1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |      Len      |           Lifetime
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
             Lifetime (cont.)      |    Sequence   |     Key...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      143 for PKM-AUTH-Key

   Len

      135

   Lifetime

      The Lifetime field is 4 octets in length and represents the
      lifetime, in seconds, of the authorization key.  For more
      information, see Section 11.9.4 of [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>].

   Sequence

      The Sequence field is one octet in length.  The contents
      correspond to those of the Value field of an IEEE 802.16 Key-
      Sequence-Number attribute (see [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>], Section
      11.9.5).

   Key

      The Key field is 128 octets in length.  The contents correspond to
      those of the Value field of an IEEE 802.16 AUTH-Key attribute.
      The Key field MUST be encrypted under the public key from the
      Subscriber Station certificate (<a href="#section-3.1">Section 3.1</a>) using RSA encryption
      [<a href="https://tools.ietf.org/html/rfc2437" title="&quot;PKCS #1: RSA Cryptography Specifications Version 2.0&quot;">RFC2437</a>]; see Section 7.5 of [<a href="#ref-IEEE.802.16-2004">IEEE.802.16-2004</a>] for further
      details.

      Implementation Note

         It is necessary that a plaintext copy of this field be returned
         in the Access-Accept message; appropriate precautions MUST be
         taken to ensure the confidentiality of the key.
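   As an added illustration (not code from the RFC), the following Python
   packs and parses the PKM-AUTH-Key Attribute laid out above, treating the
   128-octet Key field as an opaque, already RSA-encrypted blob and refusing
   any attribute whose Len or buffer length disagrees with the fixed layout.
   The RADIUS attribute walker and all sample values are constructed for the
   example.

```python
import struct
from typing import Iterator, Tuple

PKM_AUTH_KEY_TYPE = 143  # Type value assigned in Section 7
PKM_AUTH_KEY_LEN = 135   # Type(1) + Len(1) + Lifetime(4) + Sequence(1) + Key(128)
KEY_OCTETS = 128

def encode_pkm_auth_key(lifetime: int, sequence: int, encrypted_key: bytes) -> bytes:
    """Serialize a PKM-AUTH-Key Attribute.

    encrypted_key must already be the AK encrypted under the SS public key with
    RSA (Section 3.7); that RSA step is outside this example.
    """
    if not 0 <= lifetime <= 0xFFFFFFFF:
        raise ValueError("Lifetime must fit in 4 octets")
    if not 0 <= sequence <= 0xFF:
        raise ValueError("Sequence must fit in 1 octet")
    if len(encrypted_key) != KEY_OCTETS:
        raise ValueError("Key field must be exactly 128 octets")
    header = struct.pack("!BBIB", PKM_AUTH_KEY_TYPE, PKM_AUTH_KEY_LEN, lifetime, sequence)
    return header + encrypted_key

def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a RADIUS attribute list, yielding (Type, whole attribute) and refusing
    any Len below 2 or one that runs past the end of the buffer."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        alen = payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("attribute Len inconsistent with buffer")
        yield payload[pos], payload[pos:pos + alen]
        pos += alen

def decode_pkm_auth_key(attr: bytes) -> Tuple[int, int, bytes]:
    """Parse one PKM-AUTH-Key Attribute into (lifetime, sequence, encrypted_key).
    Anything other than Type 143 with Len 135 is refused, not partially decoded."""
    if len(attr) < 2 or attr[0] != PKM_AUTH_KEY_TYPE:
        raise ValueError("not a PKM-AUTH-Key Attribute")
    if attr[1] != PKM_AUTH_KEY_LEN or len(attr) != PKM_AUTH_KEY_LEN:
        raise ValueError("PKM-AUTH-Key Len must be 135")
    lifetime, sequence = struct.unpack("!IB", attr[2:7])
    return lifetime, sequence, attr[7:]

# Constructed sample: 128 octets standing in for the RSA-encrypted AK (not real ciphertext).
SAMPLE_ENCRYPTED_KEY = bytes(range(128))
SAMPLE_ATTRIBUTE = encode_pkm_auth_key(lifetime=3600, sequence=1, encrypted_key=SAMPLE_ENCRYPTED_KEY)
```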





<span class="grey">Zorn                          Informational                    [Page 11]</span>
</pre><!--NewPage--><pre class="newpage"><a name="page-12" id="page-12" href="#page-12" class="invisible"> </a>
<span class="h4"><h4><a class="selflink" name="section-3.7.1" href="#section-3.7.1">3.7.1</a>.  AUTH-Key Protection</h4></span>

   The PKM-AUTH-Key Attribute (<a href="#section-3.7">Section 3.7</a>) contains the AUTH-Key
   encrypted with the SS's public key.  The BS also needs the AK, so a
   second copy of the AK needs to be returned in the Access-Accept
   message.

   It is RECOMMENDED that the AK be encapsulated in an instance of the
   MS-MPPE-Send-Key Attribute [<a href="https://tools.ietf.org/html/rfc2548" title="&quot;Microsoft Vendor-specific RADIUS Attributes&quot;">RFC2548</a>].  However, see <a href="https://tools.ietf.org/html/rfc3579#section-4.3.4">Section&nbsp;4.3.4 of
   RFC 3579</a> [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>] for details regarding weaknesses in the encryption
   scheme used.

   If better means for protecting the Auth-Key are available (such as
   RADIUS key attributes with better security properties, or means of
   protecting the whole Access-Accept message), they SHOULD be used
   instead of (or in addition to) the MS-MPPE-Send-Key Attribute.
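   To show what the RECOMMENDED encapsulation looks like on the RADIUS
   server side, here is an added Python example (not from the RFC) that
   wraps and unwraps the AK as the String field of an MS-MPPE-Send-Key
   Attribute following RFC 2548; the shared secret, Request-Authenticator,
   Salt and AK values are constructed. The MD5-keystream construction it
   implements is the one whose weaknesses Section 4.3.4 of RFC 3579
   describes, which is why the RFC asks for stronger protection where it is
   available.

```python
import hashlib

BLOCK = 16  # RFC 2548 Section 2.4.2 encrypts 16-octet blocks under an MD5 keystream

def mppe_send_key_wrap(ak: bytes, secret: bytes, request_authenticator: bytes, salt: bytes) -> bytes:
    """Return the String field of an MS-MPPE-Send-Key Attribute carrying ak.

    Plaintext is Key-Length(1) || ak || zero padding to a multiple of 16 octets.
    b(1) = MD5(secret || Request-Authenticator || Salt), c(1) = p(1) XOR b(1);
    b(i) = MD5(secret || c(i-1)),                        c(i) = p(i) XOR b(i).
    Only the RADIUS shared secret protects the key (the weakness RFC 3579, 4.3.4).
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request-Authenticator is 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt is 2 octets with the high bit of the first set")
    if not 1 <= len(ak) <= 255:
        raise ValueError("key length must fit the 1-octet Key-Length")
    plain = bytes([len(ak)]) + ak
    plain += b"\x00" * (-len(plain) % BLOCK)
    out, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(plain), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(plain[i:i + BLOCK], keystream))
        out += c
        prev = c
    return salt + bytes(out)

def mppe_send_key_unwrap(string: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Invert mppe_send_key_wrap; refuse Strings whose framing is inconsistent."""
    salt, body = string[:2], string[2:]
    if len(salt) != 2 or not body or len(body) % BLOCK:
        raise ValueError("String must be Salt plus whole 16-octet blocks")
    plain, prev = bytearray(), request_authenticator + salt
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ k for x, k in zip(c, keystream))
        prev = c
    key_len = plain[0]
    if key_len == 0 or key_len > len(plain) - 1:
        raise ValueError("Key-Length inconsistent with decrypted data")
    return bytes(plain[1:1 + key_len])

# Constructed sample values (not from the document).
SAMPLE_AK = bytes.fromhex("00112233445566778899aabbccddeeff01020304")
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(0x10, 0x20))
SAMPLE_SALT = bytes([0x80 | 0x12, 0x34])
```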

<span class="h2"><h2><a class="selflink" name="section-4" href="#section-4">4</a>.  Table of Attributes</h2></span>

   The following table provides a guide to which attributes may be found
   in which kinds of packets, and in what quantity.

   Request Accept Reject Challenge Acct-Req  #   Attribute
   0+      0      0      0         0        137 PKM-SS-Cert [Note 1]
   0+      0      0      0         0        138 PKM-CA-Cert [Note 2]
   0       0-1    0      0         0        139 PKM-Config-Settings
   0-1     0      0      0         0        140 PKM-Cryptosuite-List
   0-1     0      0      0         0        141 PKM-SAID
   0       0+     0      0         0        142 PKM-SA-Descriptor
   0       0-1    0      0         0        143 PKM-Auth-Key
   0       0-1    0      0         0             MS-MPPE-Send-Key
                                                    [Note 3]

   [Note 1]
      No more than one Subscriber Station Certificate may be transferred
      in an Access-Request packet.

   [Note 2]
      No more than one CA Certificate may be transferred in an Access-
      Request packet.

   [Note 3]
      MS-MPPE-Send-Key is one possible attribute that can be used to
      convey the AK to the BS; other attributes can be used instead (see
      <a href="#section-3.7.1">Section 3.7.1</a>).

</pre><!--NewPage--><pre class="newpage"><a name="page-13" id="page-13" href="#page-13" class="invisible"> </a>
   The following table defines the meaning of the above table entries.

   0   This attribute MUST NOT be present in packet
   0+  Zero or more instances of this attribute MAY be present in packet
   0-1 Zero or one instance of this attribute MAY be present in packet
   1   Exactly one instance of this attribute MUST be present in packet

<span class="h2"><h2><a class="selflink" name="section-5" href="#section-5">5</a>.  Diameter Considerations</h2></span>

   Since the Attributes defined in this document are allocated from the
   standard RADIUS type space (see <a href="#section-7">Section 7</a>), no special handling is
   required by Diameter nodes.

<span class="h2"><h2><a class="selflink" name="section-6" href="#section-6">6</a>.  Security Considerations</h2></span>

   <a href="https://tools.ietf.org/html/rfc3579#section-4">Section&nbsp;4 of RFC 3579</a> [<a href="https://tools.ietf.org/html/rfc3579" title="&quot;RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)&quot;">RFC3579</a>] discusses vulnerabilities of the
   RADIUS protocol.

   Section 3 of the paper "Security Enhancements for Privacy and Key
   Management Protocol in IEEE 802.16e-2005" [<a href="#ref-SecEn" title="&quot;Security Enhancements for Privacy and Key Management Protocol in IEEE 802.16e- 2005&quot;">SecEn</a>] discusses the
   operation and vulnerabilities of the PKMv1 protocol.

   If the Access-Request message is not subject to strong integrity
   protection, an attacker may be able to modify the contents of the
   PKM-Cryptosuite-List Attribute, weakening 802.16 security or
   disabling data encryption altogether.

   If the Access-Accept message is not subject to strong integrity
   protection, an attacker may be able to modify the contents of the
   PKM-Auth-Key Attribute.  For example, the Key field could be replaced
   with a key known to the attacker.

   See <a href="#section-3.7.1">Section 3.7.1</a> for security considerations of sending the
   authorization key to the BS.

<span class="h2"><h2><a class="selflink" name="section-7" href="#section-7">7</a>.  IANA Considerations</h2></span>

   IANA has assigned numbers for the following Attributes:

      137 PKM-SS-Cert

      138 PKM-CA-Cert

      139 PKM-Config-Settings

      140 PKM-Cryptosuite-List

      141 PKM-SAID

</pre><!--NewPage--><pre class="newpage"><a name="page-14" id="page-14" href="#page-14" class="invisible"> </a>
      142 PKM-SA-Descriptor

      143 PKM-Auth-Key

   The Attribute numbers are to be allocated from the standard RADIUS
   Attribute type space according to the "IETF Review" policy [<a href="https://tools.ietf.org/html/rfc5226" title="&quot;Guidelines for Writing an IANA Considerations Section in RFCs&quot;">RFC5226</a>].

<span class="h2"><h2><a class="selflink" name="section-8" href="#section-8">8</a>.  Contributors</h2></span>

   Pasi Eronen provided most of the text in <a href="#section-3.7.1">Section 3.7.1</a>.

<span class="h2"><h2><a class="selflink" name="section-9" href="#section-9">9</a>.  Acknowledgements</h2></span>

   Thanks (in no particular order) to Bernard Aboba, Donald Eastlake,
   Dan Romascanu, Avshalom Houri, Juergen Quittek, Pasi Eronen, and Alan
   DeKok for their mostly useful reviews of this document.

<span class="h2"><h2><a class="selflink" name="section-10" href="#section-10">10</a>.  References</h2></span>

<span class="h3"><h3><a class="selflink" name="section-10.1" href="#section-10.1">10.1</a>.  Normative References</h3></span>

   [<a name="ref-IEEE.802.16-2004" id="ref-IEEE.802.16-2004">IEEE.802.16-2004</a>]
              Institute of Electrical and Electronics Engineers, "IEEE
              Standard for Local and metropolitan area networks, Part
              16: Air Interface for Fixed Broadband Wireless Access
              Systems", IEEE Standard 802.16, October 2004.

   [<a name="ref-RFC2865" id="ref-RFC2865">RFC2865</a>]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              <a href="https://tools.ietf.org/html/rfc2865">RFC 2865</a>, June 2000.

   [<a name="ref-RFC3579" id="ref-RFC3579">RFC3579</a>]  Aboba, B. and P. Calhoun, "RADIUS (Remote Authentication
              Dial In User Service) Support For Extensible
              Authentication Protocol (EAP)", <a href="https://tools.ietf.org/html/rfc3579">RFC 3579</a>, September 2003.

   [<a name="ref-RFC5226" id="ref-RFC5226">RFC5226</a>]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", <a href="https://tools.ietf.org/html/bcp26">BCP 26</a>, <a href="https://tools.ietf.org/html/rfc5226">RFC 5226</a>,
              May 2008.

<span class="h3"><h3><a class="selflink" name="section-10.2" href="#section-10.2">10.2</a>.  Informative References</h3></span>

   [<a name="ref-RFC2437" id="ref-RFC2437">RFC2437</a>]  Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
              Specifications Version 2.0", <a href="https://tools.ietf.org/html/rfc2437">RFC 2437</a>, October 1998.

   [<a name="ref-RFC2459" id="ref-RFC2459">RFC2459</a>]  Housley, R., Ford, W., Polk, T., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and CRL
              Profile", <a href="https://tools.ietf.org/html/rfc2459">RFC 2459</a>, January 1999.

</pre><!--NewPage--><pre class="newpage"><a name="page-15" id="page-15" href="#page-15" class="invisible"> </a>
   [<a name="ref-RFC2548" id="ref-RFC2548">RFC2548</a>]  Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
              <a href="https://tools.ietf.org/html/rfc2548">RFC 2548</a>, March 1999.

   [<a name="ref-SecEn" id="ref-SecEn">SecEn</a>]    Altaf, A., Jawad, M., and A. Ahmed, "Security Enhancements
              for Privacy and Key Management Protocol in IEEE 802.16e-
              2005", Ninth ACIS International Conference on Software
              Engineering, Artificial Intelligence, Networking, and
              Parallel/Distributed Computing, 2008.

Author's Address

   Glen Zorn
   Network Zen
   1463 East Republican Street
   #358
   Seattle, WA  98112
   US

   EMail: gwz@net-zen.net


</pre><br>

</body></html>